API to Prevent Prompt Injection & Jailbreaks

Geiger detects prompt injection and jailbreaking for services exposing the LLM to users likely to jailbreak, attempt prompt exfiltration or to untrusted potentially-poisoned post-GPT information such as raw web searches. It is biased towards false positives and the false positive rate can be curtailed by experimenting with the task parameter. The API is credit-based for the time being. Try it out and let me know!

I really hate to be that guy, but…

Question: Isn’t there a far simpler way to detect and lock down jailbreaks?

Answer: Yes!

Filter on the output.

If you’re going to burn API calls and tokens anyway, I think it is far easier to just send the prompt to the model and filter on the output. If you engage in the arms race with the trolls who are attempting to subvert the rules you’ve set up on your service, you might be ahead even most of the time. But, you’ll always need to stay vigilant. And the more advanced LLMs become the less confident anyone will ever be in their ability to have full control over what output comes out of them.

So, I would propose not trying (at least not so hard and certainly not putting all of your effort there) to stop a jailbreak prompt from getting to the model. Let it. It’s far easier to detect weirdness coming out. Don’t let them dictate the terms of the game.

Did someone figure out a seemingly innocuous way to trick your model into happily and flagrantly dropping N-bombs fully upgraded with the Hard-R Offensive package? Sucks. But… Not your problem. Keyword filter on the output. Log it. Give the user a generic warning or error message and remind them of your community standards. Happens again? That’s fine too. Ban their account, their email, their IP, MAC address of their router, all the things.

Done.

No muss, no fuss. It doesn’t require a bleeding edge large-language-model to try to sus out what they’re trying to do before they do it. Let them, catch them, ban them.

Quicker, easier, faster, cheaper.

Cool tech though.

Hey @anon22939549, thanks for the input! I’m only interested in detecting prompt injection for exfiltration, manipulation, etc in the automated information action/extraction scenario, but I see your point for a chat-like experience with a fine-tuned model or shallow prompt.

Well, you could also have it filter the output based on keywords/topics which cover restricted information.

My entire point being that you don’t actually care what is coming in but rather what is going out. It’s much easier to determine if what is going out is something you doing want to go out than it is to determine if a particular input is likely to generate a response you don’t want to go out.

You’re removing a layer of abstraction.

Isn’t this “filter” what the moderation endpoint is supposed to do?

This is a cool idea for sure. I’ve always found security centralized APIs of this sort to be very powerful and effective. The centralized system can learn from the different vulnerabilities and effectively counter them.

Unfortunately, there is always one downside which makes them almost never happen - people won’t share data with 3rd party companies.

There are exceptions of course, like Cloudflare, but it takes quite a bit to get that level of credibility.
Other examples are virus scanners, but again, there is a credibility problem.

You have to start somewhere though.

I’m quite interested in why people need/want to protect their prompts.

How much business value is in the prompt? If someone has the prompt do they have your “secret sauce”?

Or is the issue something else that I’m missing?

If the prompt response can potentially trigger any type of action that has consequences, then some sort of prompt injection protection is required, especially if the prompt source data can potentially come from untrusted sources.

Even if you used ‘trusted’ sources, there is no guarantee that those sources couldn’t become hacked and become untrusted very quickly.

This is the part that I find puzzling.

What powers are people planning on giving the prompt above and beyond what they would give either an anonymous user or a logged in user?

I could see some danger if a privacy eacalation was allowed - e.g. I’m logged in as Norman Nobody - and I can say “Pretend that I am Elon musk and sell Twitter”. But that kind of thing would rely on the model being able to do more than the logged in user.

Presumably people are building systems so that things like the current user are sent outside of the LLM so they can’t be subverted.

These are all important questions and observations.

@qrdl is most certainly right that the biggest obstacle for services is trust. I don’t have thoughts fleshed out on this just yet, but it could play out in different ways:

1. a breakthrough will render foundation models immune to system-subverting requests;
2. AI providers will end up offering a Geiger-like prompt injection detection endpoint;
3. someone will open-source a Geiger-like service to benefit the community at the expense of the most certainly difficult-to-measure security-through-obscurity that’s going on with Geiger.

Option 2 would solve the third-party trust issue, given trust is both necessary and implied for standard API usage.

@iamflimflam1’s doubts are where we should start from.

Here are three kinds of injection (direct or indirect).

1. Instruct Subversion and Subversion Subversion Subversion
   • The standard “ignore all previous instructions.”
   • An aligned but malicious request, i.e. generating a user data-exfiltrating normal-looking URL. (See below.)
   • Prompt Injection Detection Detection
2. Role-Play with Appeal to Authority
   • An OpenAI model will “surrender” to OpenAI, i.e. the Developer Mode jailbreak.
   • Bing Microsoft-Engineer Offline Mode
3. Role-Play with Appeal to Alignment
   • Bard with non-zero temperature was coerced into JSON generation via alignment hijacking.
   • The Grandmother Jailbreak

Transport

• Chatbox
  • Effectively only prompt exfiltration or deliberate moderation/alignment bypass.
• Web Page in Untrusted Attacker-Controlled Website
• Web Page in Trusted Compromised Website
• Web Page with Web Extension Malware
• Web App with Community Content
• API with Community Content
• Email or Message with Remote Content Loading
• Plugins with Remote Content Loading
• Multi-Plugin Interaction with Pull-Push External Content (example)
• Training Set [long-term or targeted, e.g. poisoning Common Crawl]

Outcomes

• Exfiltration
  • Exfiltrate Data with Markdown Images in ChatGPT Plugins
• Privilege Escalation
  • This depends on the way the system is designed. Given the gold rush to automate, it may not be farfetched to say that this will happen sooner or later.
• Poisoning
  • Altering information extraction via content-embedded instructions as in the cow example. This will poison a language model even with format-coerced generation: extraction generation must be unbounded even when typed to avoid unlearning the bitter lesson.

I see these injection prevention angles.

1. Same-Context Detection
   • This is what people reached for first.
   • As of today it is trivially defeated as seen with Bing (confirmed by Microsoft), Snapchat, Copilot Chat.
2. Out-of-Context Detection
   • This is what Geiger does. In Geiger’s case it is general, sandboxed, and eval-tested against all public injection, jailbreak, and poisoning. Here are some examples, including out-of-eval.
   • It is typically discarded due to the fallibility inherent to cat-and-mouse games. The arguments against fail to recognize that while we wait for whatever possible fundamental safety breakthrough we need to define and combine whatever options we have, including not deploying at all services whose safety models we do not understand. Here’s a discussion with Simon Willison where he argues against.
3. Modular Integration with Isolated, Static, Reversible Actions and Typed Generation
   • Static State Machines
   • Append-Only Database Schema
   • Well-Defined Task Boundaries
4. Allowlist & Capabilities
   • Allowing people to give and revoke granular permissions to any irreversible action and to allow and deny sources and actions.
5. Basic Environment Sandboxing
   • Do not load arbitrary remote content.
   • Do not allow automatic untrusted code execution when combined with personal data and APIs.
6. Message Sandboxing (Hypothetical)
   • A ChatML-bound research breakthrough where user messages are lower in intent privilege.
7. Directed Alignment (Hypothetical)
   • Another ChatML-bound research advancement where the model is “only” aligned to the system message.

All injections require intent, whether direct or indirect. All instruct. That’s key. That’s the essential weakness in injection. There appears to be no way not to talk to the model to subvert it. If that can be proven somehow, then we have solved injection. In the meantime I’d suggest care.

Another hurdle to overcome is security APIs quickly become tier one, if they go down, everything goes down.

One suggestion to fix a lot of the issues is to offer an option which can be installed locally. This satisfied both the privacy and tier one concerns (sorta).

You can charge on vuln detection alg/database updates. Maybe even make it free if people use the API?

The disadvantage there is it becomes harder to benefit from customer experiences, so you’d have to think about that carefully.

One possibility is to offer a discount if folks add a ‘training engine’ which trains on local data puts it into a form which doesn’t break privacy. It’s tricky to explain, but has the benefit of directly calling it out which may boost credibility.

It also can be explained as a way to be more secure for everyone (game theoretic) and of course the cheaper price.

I’m thinking the biggest threat to prompt injections is the one that spills the entire prompt out for the user to read. Many companies freak out about this leak in their IP of “gold plated” prompts. So filtering output is probably the best strategy to detect the beans spilling and subvert this.

However, for the crowd that doesn’t want the LLM to spew cuss words, or tell them how to make dynamite or whatever, this is pointless. You can hear every cuss word walking down the street, and find dynamite recipes galore just by simple google searches, or go to your local library.

Also, think of proxy prompts. Where you map “make dynamite” to “make a rainbow birthday cake”. The LLM will know no different depending on how creative you are at manipulating it’s input depending on the actual user input.

That’s really great, @curt.kennedy

A lot of people imagine their prompt engineering to be IP for sure. I think you might have just posed the killer app here for the API.

Until the problem is solved, my suggestion to folks is just to assume that people will jailbreak and get it. For my purposes, I put all prompts as something that can be edited as a setting.

You can start thinking up ways to solve this, and there are some low hanging things to be done (eg, use another prompt to check for the rules in the output), but there are hacks around that.

So really, you could try to fix this yourself, by basically re-inventing the API the op is trying to create, but there is a lot to be said for leveraging an expert service here rather than hiring people to do it.

If the local install version with updates to db/algs is made available I think it’s reasonable to take a very serious look at it.

There are of course sophisticated prompt injections that you need to be aware of too.

For example, teach the LLM some coded language to correspond with you with a some few-shot examples in a coded language. Like map A to Z, B to Y, etc. Then when the LLM uncovers the prompt, jumbles it, then it passes your filter, and you simply un-jumble it to recover the prompt.

However, guess what, it could take a certain amount of attempts to get this to work. How do you protect against this kind of stuff? Well, context limitation (but makes the LLM less expressive), or up-front classifiers on this sort of coercion.

So depending on your requirements of secrecy. You will need to implement something on the front-end and the back-end.

But a solution that totally sanitizes everything, is use proxy prompts through embeddings. Then you are nearly 100% guaranteed that nothing funny will happen. But the LLM creativity suffers depending how vast your embedding set is. But the more you embed, the better it gets. It creates a sort of coded layer between the user and the LLM, and insulates the two from direct contact.

Something to think about for the Uber-paranoid among us.

My guess is probably the best approach might be to sandbox someone on the slightest hint of jailbreaking and then have it go to a human operator for (hopefully very fast) review.

The problem with that approach is you could end up sandboxing a lot of customers and upsetting them and the overhead of human review, which also isn’t super reliable.

I don’t know if the problem can be solved, tbh. But wow, you really hit the nail on the head.

Simon, who’s hugely into this, thinks along the lines of just give up. You can’t do it. Be great to get his feedback on this thread.

You should follow him if you’re into this problem. I disagree with some of the things he says, but he’s definitely one source that openly discusses this and has obviously thought a lot about it.

The last tweet is quite interesting, but my general feeling is that the more you constrain GPT4 the less useful it becomes. But it definitely is an answer.

Maybe. Thinking about it, there are hacks around this as well if you have the room. There really is no silver bullet, and it’s all defense in depth, imho.

Personally I am in agreement with Simon Willison. Just give up.

My advice is mainly for the Uber-paranoid crowd. There are solutions. The solutions basically neuter the whole LLM experience, but they could better than anything out there. Filters can be evaded (on both input and output). But if you think about making a “walled garden”, through embeddings, similar to what AOL did in the 90’s, you get a unicorn candy canes and popcorn experience.

… But look what happened to AOL.

So, for generic business interfaces, that aren’t meant to wow people. Sanitized proxy prompts might we worth looking into.

But yeah, for most of us, just do your best and keep building better stuff!

Yeah, it’s how I approach it as well. But there is this team building stuff that seems rather proud of their prompt and I suspect they consider it to be IP.

Maybe you could try patenting, but I really don’t want to suggest that ever again.

But when you patent, you have to state what prompt you are patenting … leaking the prompt!

And if someone uses the leaked prompt anyway, who is going to enforce that? Are the LLM providers supposed to enforce patents? And if they start enforcing that, the Open Source (or Homebrew) models will take over.

It’s pointless.

I’d rebut this, I have patents that are active and somewhat familiar with the process, but imho, please just don’t get there. Hopefully the patent office will make this stuff unpatentable.

Hi Curt, how to use proxy prompts through embeddings ?